msdp

MSDP SA filtering - lab


On R3 we want to filter SA messages towards R2, so that a ping to 227.0.0.10 from R4 gets no response.

Step 1:
create interface Loopback10 on R1 with IP address 10.10.10.10. This interface joins group 227.0.0.10:


interface Loopback10
ip address 10.10.10.10 255.255.255.255
ip pim sparse-mode
ip igmp join-group 227.0.0.10
end


Step 2:
verify connectivity. From R4 ping 227.0.0.10


R4#ping 227.0.0.10 re 1
Sending 1, 100-byte ICMP Echos to 227.0.0.10, timeout is 2 seconds:
Reply to request 0 from 10.0.12.1, 24 ms


On R2 the MSDP SA-cache has an entry for this traffic:


R2#sh ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
(4.4.4.4, 227.0.0.10), RP 3.3.3.3, BGP/AS 300, 00:01:22/00:05:34, Peer 3.3.3.3
Learned from peer 3.3.3.3, RPF peer 3.3.3.3,
SAs received: 2, Encapsulated data received: 0



Step 3:
apply the sa-filter on R3

We create an access-list that denies the (S,G) of this SA and permits everything else:


R3#sh access-lists 104
Extended IP access list 104
10 deny ip host 4.4.4.4 host 227.0.0.10 log (5 matches)
20 permit ip any any (12 matches)


and apply it outbound towards peer R2 (2.2.2.2):


ip msdp sa-filter out 2.2.2.2 list 104


Check that the sa-filter is applied: the Output (S,G) filter line should show ACL 104.


R3#sh ip msdp peer
MSDP Peer 2.2.2.2 (?), AS 200
Connection status:
State: Up, Resets: 3, Connection source: Loopback0 (3.3.3.3)
Uptime(Downtime): 03:49:26, Messages sent/received: 241/241
Output messages discarded: 0
Connection and counters cleared 05:59:23 ago
Elapsed time since last message: 00:00:10
Local Address of connection: 3.3.3.3
Local Port: 639, Remote Port: 26547
SA Filtering:
Input (S,G) filter: none, route-map: none
Input RP filter: none, route-map: none
Output (S,G) filter: 104, route-map: none
Output RP filter: none, route-map: none
SA-Requests:
Input filter: none
Peer ttl threshold: 0
SAs learned from this peer: 0
Input queue size: 0, Output queue size: 0
Message counters:
RPF Failure count: 0
SA Messages in/out: 34/27
SA Requests in: 0
SA Responses out: 0
Data Packets in/out: 8/9



Now try to ping again from R4:



R4#ping 227.0.0.10 re 1
Sending 1, 100-byte ICMP Echos to 227.0.0.10, timeout is 2 seconds:
.


We get no answer, which is the expected result.

This is the capture of the filtered SA message that matched the access-list:

[capture: msdp_sa_4.4.4.4]


On R2 the msdp sa-cache is empty:


R2#sh ip msdp sa-cache
MSDP Source-Active Cache - 0 entries


Now we verify that 227.0.0.1 is still reachable from R4, since its SA does not match the deny entry in ACL 104:


R4#ping 227.0.0.1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 227.0.0.1, timeout is 2 seconds:
Reply to request 0 from 10.0.12.1, 56 ms


The entry is in R2's sa-cache:


R2#sh ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
(4.4.4.4, 227.0.0.1), RP 3.3.3.3, BGP/AS 300, 00:00:27/00:05:45, Peer 3.3.3.3
Learned from peer 3.3.3.3, RPF peer 3.3.3.3,
SAs received: 2, Encapsulated data received: 1



The sa-filter can be applied in both the inbound and the outbound direction on each MSDP peer, which gives granular control over which multicast sources are advertised between domains.

HTH

MSDP SA filtering - theory


Basics first.


*** SOURCE ACTIVE ***

What's in an SA message?
The IP address of the source
The group address the source sends to
The IP address of the RP that originated the SA

Who sends an SA?
Only RPs send and receive SA messages (only the DR on shared networks)

When is an SA message sent?
When an RP in a PIM-SM domain first learns of a new sender, e.g., via
PIM register messages, it constructs a "Source-Active" (SA) message
and sends it to its MSDP peers.
(from RFC3618)

To whom is an SA message forwarded?
If the MSDP peer receives the SA from a non-RPF peer towards the
originating RP, it will drop the message. Otherwise, it forwards the
message to all its MSDP peers (except the one from which it received
the SA message).
(from RFC3618)


*** SA REQUESTS ***

What's in an SA request?
A multicast group prefix with its prefix length. When a host joins a particular group, the RP sends an SA request to its MSDP peers.

Who sends an SA request?
SA requests are sent only by RPs configured to do so and should be sent only to caching peers
(Routing TCP/IP vol2 page 610).

What's in an SA response?
The RP address for the requested group, the group address and the source address for that group.


A Cisco router can filter both incoming and outgoing SA messages to and from a specific MSDP peer.


*** FILTERING INBOUND SOURCE ACTIVE MESSAGES ***

Accept from MSDP peer 10.0.0.1 only SAs for groups in 224.0.0.0/4 from sources in subnet 10.254.0.0/24:

access-list 101 permit ip 10.254.0.0 0.0.0.255 224.0.0.0 15.255.255.255
ip msdp sa-filter in 10.0.0.1 list 101

10.0.0.1 is the MSDP peer to which the filter is applied
10.254.0.0/24 (wildcard 0.0.0.255) is the range of multicast sources accepted
224.0.0.0/4 (wildcard 15.255.255.255; 31.255.255.255 would be /3 and also cover 240.0.0.0/4) are the multicast groups accepted from this peer for these sources


*** FILTERING OUTBOUND SOURCE ACTIVE MESSAGES ***

Send SA messages to peer 10.0.0.1 only for sources in 172.16.0.0/16 sending to groups in 230.0.0.0/8:

access-list 102 permit ip 172.16.0.0 0.0.255.255 230.0.0.0 0.255.255.255
ip msdp sa-filter out 10.0.0.1 list 102

This outbound filter applies to both locally originated SA messages and SA messages forwarded from another MSDP peer.


*** FILTERING OUTBOUND LOCAL ORIGINATED SOURCES ***

This filter is applied to all MSDP peers but only to locally originated SA messages (a separate ACL number is used here so it does not overwrite ACL 102 above):

access-list 103 permit ip 192.168.1.0 0.0.0.255 231.0.0.0 0.255.255.255
ip msdp redistribute list 103

Only local sources in subnet 192.168.1.0/24 sending to groups in 231.0.0.0/8 are advertised to MSDP peers; SAs forwarded from other peers are not affected by this command.
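As an added example (not part of the original posts), the following Python script encodes an SA message with the fields listed above (RP, then one source/group record per entry, as laid out in RFC 3618 section 12.1), parses it back with the length and range checks a receiver should perform before trusting an (S,G), and applies an IOS-style extended ACL to its entries the way `ip msdp sa-filter out` does. The RP 3.3.3.3, the (S,G) pairs and ACLs 101 and 104 come from this post and the lab post; the message bytes are constructed here, and how encapsulated data is treated after a partial filter is an assumption of the example, not documented IOS behaviour.

```python
"""Added example: MSDP Source-Active (SA) encode/parse and (S,G) filtering.
Constructed for illustration; not code from the original posts."""
import ipaddress
import struct

MSDP_SA = 1      # TLV type of a Source-Active message
HEADER_LEN = 8   # type(1) + length(2) + entry count(1) + RP address(4)
ENTRY_LEN = 12   # reserved(3) + sprefix len(1) + group(4) + source(4)


def _ip(addr):
    return ipaddress.IPv4Address(addr)


def build_sa(rp, entries, data=b""):
    """Encode one SA TLV: header, RP, a 12-byte record per (source, group),
    then any encapsulated data packet. The length field covers the whole TLV."""
    body = struct.pack("!B4s", len(entries), _ip(rp).packed)
    for source, group in entries:
        body += struct.pack("!3xB4s4s", 32, _ip(group).packed, _ip(source).packed)
    body += data
    return struct.pack("!BH", MSDP_SA, 3 + len(body)) + body


def parse_sa(msg):
    """Decode exactly one SA TLV into (rp, [(source, group), ...], data).
    Type, length, entry count, prefix length and address ranges are checked
    before any entry is returned, so a truncated or bogus message raises
    ValueError instead of yielding a half-parsed (S,G)."""
    if len(msg) < HEADER_LEN:
        raise ValueError("SA message shorter than its fixed header")
    msg_type, length, count = struct.unpack("!BHB", msg[:4])
    if msg_type != MSDP_SA:
        raise ValueError("not a Source-Active TLV (type %d)" % msg_type)
    if length != len(msg) or length < HEADER_LEN + ENTRY_LEN * count:
        raise ValueError("length field disagrees with entry count or buffer")
    rp = str(_ip(msg[4:8]))
    entries = []
    offset = HEADER_LEN
    for _ in range(count):
        prefix_len, group, source = struct.unpack(
            "!3xB4s4s", msg[offset:offset + ENTRY_LEN])
        group, source = _ip(group), _ip(source)
        if prefix_len != 32:  # RFC 3618 carries a /32 source in each entry
            raise ValueError("unexpected source prefix length %d" % prefix_len)
        if not group.is_multicast or source.is_multicast:
            raise ValueError("bad (S,G) %s -> %s" % (source, group))
        entries.append((str(source), str(group)))
        offset += ENTRY_LEN
    return rp, entries, msg[offset:]


def is_valid_sa(msg):
    """True when parse_sa accepts the message, False when it rejects it."""
    try:
        parse_sa(msg)
        return True
    except ValueError:
        return False


def wildcard(prefix):
    """IOS ACL (address, wildcard) pair for a CIDR prefix; the wildcard is the
    inverted mask, e.g. 224.0.0.0/4 -> 224.0.0.0 15.255.255.255."""
    net = ipaddress.IPv4Network(prefix)
    return int(net.network_address), int(net.hostmask)


def _covers(address_wildcard, addr):
    # Bits set in the wildcard are "don't care"; compare the remaining bits.
    address, wild = address_wildcard
    return (int(_ip(addr)) | wild) == (address | wild)


def acl_permits(acl, source, group):
    """First matching ACE wins; an extended ACL ends with an implicit deny."""
    for action, src, grp in acl:
        if _covers(src, source) and _covers(grp, group):
            return action == "permit"
    return False


def apply_sa_filter(msg, acl):
    """Outbound SA filtering: keep only the (S,G) entries the ACL permits and
    re-encode the message; return None when nothing is left to send.
    Assumption of this example: encapsulated data belongs to the (S,G) it was
    sent with, so it is only carried over when every entry survived."""
    rp, entries, data = parse_sa(msg)
    kept = [(s, g) for s, g in entries if acl_permits(acl, s, g)]
    if not kept:
        return None
    return build_sa(rp, kept, data if len(kept) == len(entries) else b"")


# ACL 104 from the lab post: drop (4.4.4.4, 227.0.0.10), permit everything else.
ACL_104 = [
    ("deny", wildcard("4.4.4.4/32"), wildcard("227.0.0.10/32")),
    ("permit", wildcard("0.0.0.0/0"), wildcard("0.0.0.0/0")),
]

# ACL 101 from the inbound example above: sources in 10.254.0.0/24, any group.
ACL_101 = [("permit", wildcard("10.254.0.0/24"), wildcard("224.0.0.0/4"))]

if __name__ == "__main__":
    # Constructed SA as R3 (RP 3.3.3.3) would originate it for R4's two pings.
    sa = build_sa("3.3.3.3", [("4.4.4.4", "227.0.0.10"), ("4.4.4.4", "227.0.0.1")])
    print("before:", parse_sa(sa)[1])
    print("after sa-filter out 104:", parse_sa(apply_sa_filter(sa, ACL_104))[1])
```

Run it directly to see the lab's two-entry SA before and after the outbound filter: only (4.4.4.4, 227.0.0.1) reaches R2, matching the sa-cache output in the lab post. The wildcard() helper is also a quick way to check a mask before pasting an ACL, which is how the 224.0.0.0/4 entry above gets 15.255.255.255 rather than 31.255.255.255.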

Multicast Source Discovery Protocol (MSDP)


MSDP, as described in
RFC3618, is a mechanism to connect multiple PIM domains together. The general concept is to connect the RPs from different domains to make them aware of multicast sources in each domain.

This is a simple lab for testing MSDP functions. Each Rx-Ry link is addressed 10.0.xy.0/24, where x and y are the router numbers (e.g. the R2-R3 link is 10.0.23.0/24).



Initial configuration:
- ip addresses of routers
- R2 and R3 are BGP neighbors for both the unicast and the multicast address family
- an IGP runs between R1-R2 and between R3-R4


Configuring PIM:

R1 and R2 form a PIM domain with Auto-RP enabled; R2 is the RP.

To be sure R2 and R3 are in different PIM domains, we filter both BSR and Auto-RP messages on the R2-R3 link, on R2 and on R3: ip pim bsr-border stops BSR messages, and the PIM access-list drops the Auto-RP groups 224.0.1.39 (RP-announce) and 224.0.1.40 (RP-discovery). R2's side is shown:



interface FastEthernet0/1
ip address 10.0.23.2 255.255.255.0
ip access-group PIM in
ip access-group PIM out
ip pim bsr-border
ip pim sparse-mode
no ip mroute-cache
duplex auto
speed auto
end


R2#sh access-lists PIM
Extended IP access list PIM
10 deny ip any host 224.0.1.40
20 deny ip any host 224.0.1.39
30 deny ip host 224.0.1.39 any
40 deny ip host 224.0.1.40 any
50 permit ip any any




Now let’s configure MSDP between R2 and R3:


R2(config)#ip msdp peer 3.3.3.3 connect-source Loopback0

R3(config)#ip msdp peer 2.2.2.2 connect-source Loopback0



Check that the peering is up; note that MSDP uses TCP port 639:


R2#sh ip msdp peer
MSDP Peer 3.3.3.3 (?), AS 300
Connection status:
State: Up, Resets: 3, Connection source: Loopback0 (2.2.2.2)
Uptime(Downtime): 00:38:35, Messages sent/received: 43/43
Output messages discarded: 0
Connection and counters cleared 02:49:05 ago
Elapsed time since last message: 00:00:49
Local Address of connection: 2.2.2.2
Local Port: 26547, Remote Port: 639

R3#sh ip msdp peer
MSDP Peer 2.2.2.2 (?), AS 200
Connection status:
State: Up, Resets: 3, Connection source: Loopback0 (3.3.3.3)
Uptime(Downtime): 00:39:47, Messages sent/received: 45/45
Output messages discarded: 0
Connection and counters cleared 02:49:43 ago
Elapsed time since last message: 00:00:04
Local Address of connection: 3.3.3.3
Local Port: 639, Remote Port: 26547


Now we test that MSDP actually works as expected.

R1 joins multicast group 227.0.0.1:


R1#sh run inte l0
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip pim sparse-mode
ip igmp join-group 227.0.0.1
no ip mroute-cache
ip ospf 1 area 0
end



R4 should get an answer when pinging the group:


R4#ping 227.0.0.1 so l0 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 227.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
Reply to request 0 from 10.0.12.1, 20 ms



On R3 we can see the entry in MSDP cache:


R3#sh ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
(4.4.4.4, 227.0.0.1), RP 2.2.2.2, MBGP/AS 200, 00:01:14/00:05:31, Peer 2.2.2.2
Learned from peer 2.2.2.2, RPF peer 2.2.2.2,
SAs received: 2, Encapsulated data received: 1


Using Wireshark or debug commands we should be able to see the MSDP SA messages:


*Mar 1 04:00:32.927: MSDP(0): 3.3.3.3: Originating SA message
*Mar 1 04:00:32.927: MSDP(0): (4.4.4.4/32, 227.0.0.1)
*Mar 1 04:00:32.927: MSDP(0): (1.1.1.1/32, 227.0.0.8)


[capture: msdp_capture]


On my next post I'll check how to filter SA messages between MSDP peers. Stay tuned!